INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

Transcription

1 INF3510 Information Security University of Oslo Spring 2018 Lecture 9 Identity Management and Access Control University of Oslo Spring 2018

2 Outline Identity and access management concepts Identity management models Access control models (security models) L09 - Id Man & AC INF UiO

3 IAM Identity and Access Management Configuration phase Operation phase Registration Provisioning Identity Management Self identification Authentication Authorization Access Management Access Control L09 - Id Man & AC INF UiO

4 Definition of IAM Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. Gartner, security glossary L09 - Id Man & AC INF UiO

5 The concept of identity Entities have Identities consist of Attributes Systems Persons A B C Names, Identifiers & Characteristics Organisations X Y Z L09 - Id Man & AC INF UiO

6 Concepts related to identity Entity A person, organisation, agent, system, session, process, etc. Identity A set of names / attributes of entity in a specific domain An entity may have identities in multiple domains An entity may have multiple identities in one domain Digital identity Digital representation of names / attributes in a way that is suitable for processing by computers Names and attributes of entity Can be unique or ambiguous within a domain Transient or permanent, self defined or defined by authority, interpretation by humans and/or computers, etc L09 - Id Man & AC INF UiO

7 Identity Etymology (original meaning of words) identity = same one as last time. First-time authentication is not meaningful because there is no previous time because the identity first must be created/registered Authentication requires a first time registration of identity in the form of a name within a domain Registration can be take two forms: pre-authentication, from previous identity, e.g. passport creation of new identity, e.g. new-born baby L09 - Id Man & AC INF UiO

8 Identity Domains An identity domain has a name space of unique names Same user has separate identities in different domains Silo Id Domain Service A Id-1 Identity domain structures: Silo domain with single authority, e.g. User Ids in company network Distributed hierarchic domain: e.g. DNS (Domain Name System) Federated identity domains Federated Id Domain Service B Service C Id-2 Service D User Identity domain can be used by many different service providers Requires alignment of identity policy between domains L09 - Id Man & AC INF UiO

9 Taxonomy of Identity Management Architectures Identity Management Silo Id Mgmt. Federeated Id Mgmt. Centralised Federeation Distributed Federation Hybrid Centralised Distributed Federeation L09 - Id Man & AC INF UiO

10 Silo identity management model Legend: SP/IdP A SP/IdP B SP/IdP C SP IdP X Identity domain User identifier for silo domain X Authentication token for silo domain Service logon Service provision L09 - Id Man & AC INF UiO

11 Silo Id domains SP (Service Provider) = IdP (Identity Provider): SP controls name space and provides access credentials Unique identifier assigned to each entity Advantages Simple to deploy, low initial cost for SPs Potentially good privacy Disadvantages Identity overload for users, poor usability, no business integration Low acceptance of new services with separate Id & credentials Users must provide same information to many service providers For service providers: Barrier to service bundling and data collection L09 - Id Man & AC INF UiO

12 Identity Federation Id Federation A set of agreements, standards and technologies that enable a group of SPs to recognise and trust user identities and credentials from different IdPs, CrPs and SPs. Four main types: 1.Centralized Federation: Centralised name space and management of credentials by single IdP/CrP. 2.Distributed Identity with Centralised Authentication: Distributed name spaces managed by multiple IdPs. Centralised credentials authentication by single CrP. 3.Centralised Identity with Distributed Authentication: Centralised name space managed by single IdP. Distributed mgmt. of credentials and authentication by multiple CrPs. 4. Distributed Federation: Distributed name spaces and management of credentials by multiple IdPs and CrPs. L09 - Id Man & AC INF UiO

13 Identity Federation Types Federation types Centralised Authentication Distributed Authentication Centralised Identity Centralised Google + Centralised Id Distributed Cr Distributed Identity Distributed Id Centralised Cr facebook twitter Distributed L09 - Id Man & AC INF UiO

14 Federation model types Aadhaar (India) and google+ are centralised because they control and manage the domain s name space of identities, they always verify the authentication credentials in their federations. Facebook and Twitter have distributed identities and centralised credentials because they do not manage identities which are ordinary addresses, they always verify the authentication credentials in their federations. The ID-portal Norway has centralised Id and distributed authentication because identities are national id-numbers, managed by the government multiple private credentials providers verify credentials for authentication OpenID and eduroam are distributed because multiple Id-providers control and manage name spaces for identities the same Id-providers also verify the credentials for authentication L09 - Id Man & AC INF UiO

15 Identity Federation Roles User Needs identities and credentials to access multiple SPs. Service Provider (SP) Needs to know identity of users, and needs assurance of user authenticity. Identity Provider (IdP) Controls name space of identities. Issues/registers identities for users. Credentials Provider (CrP) Issues/registers credentials for users. Performs authentication of users. Id Often combined role Cr L09 - Id Man & AC INF UiO

16 Federation protocols Authentication by one IdP/CrP/SP is communicated as a security assertions (cryptographic token) to other SPs that trust and accept the assertion of authenticity. Usually based on SAML protocol Security Assertions Markup Language Involves multiple entities User, IdP, CrP, SP, and sometimes broker entity User Service Provider (Broker) Identity/Credentials Provider L09 - Id Man & AC INF UiO

17 Advantage/Disadvantage of Federation Advantages Improved usability Allows SPs to bundle services and collect user info Strengthen privacy through pseudonym identities Disadvantages High technical and legal complexity High trust requirements between parties Each federation partner can potentially compromise security Privacy issues, Massive data collection is a threat to data privacy Limited scalability, Limited by political and economical constraints An Identity federation can become a new form of silo L09 - Id Man & AC INF UiO

18 Centralised Federation Federation Domain / Circle of Trust SP-A IdP/CrP SP-B Examples: Facebook connect Authent. to other domains Legend : SP IdP/CrP Identity domain User identifier issued by IdP Authentication cred. managed by IdP Security assertion issued by IdP Service logon Service provision Identifier mapping L09 - Id Man & AC INF UiO

19 SAML protocol profile: Browser Post Security token via front-channel Federation circle of trust Identity Provider 1 3 Service Provider 2 Browser 4 User L09 - Id Man & AC INF UiO

20 SAML protocol profile: Browser Artefact Security token via back-channel Federation circle of trust Identity Provider 1 4 Artefact 2 Token 5 The artefact is a reference to get token Browser User 6 3 Service Provider L09 - Id Man & AC INF UiO

21 OpenID Connect Protocol Federation Agreement Authentication request Request resource OpenId IdP Token Provide LogIn page Post Creds Redirect token to SP via client Client 7 Provide Creds List of IdPs Select 4 IdP 3 Redirect client to get token from IdP Forward token back to SP Service Provider 10 Token Provide resource 11 L09 - Id Man & AC INF UiO

22 OpenID Connect Characteristics Based on OpenID and OAuth 2.0 specifications SPs establish federation agreements with IdPs Beware of abuse of term authorization The OpenId Connect standard uses authorization in the meaning of authentication and access control OpenID Connect used in the Norwegian HelseID IAM for the Norwegian health sector Health professionals register OpenIds that are independent of their national person numbers Mapping between OpenIds and person number exists but is protected L09 - Id Man & AC INF UiO

23 google, facebook and twitter federations Service Provider 6 2 g+ f t Authentication with google+, FacebookConnect or twitter User requests service 3 2. Redirect to g+, f or t for authentication Browser 3. Present login form from g+, f or t 4 4. User provides Id and credentials 5. Credentials forwarded to g+, f or t User 6. Assert authenticated user 7. Provide service L09 - Id Man & AC INF UiO

24 Network access L09 - Id Man & AC INF UiO

25 (continued) EDUROAM has formal agreements with the public and private locations around Europe for network access Home Institutions (universities) are responsible for keeping user data and credentials correct and up-to-date Networks provide Internet access. L09 - Id Man & AC INF UiO

26 (Felles Elektronisk Identitet) FEIDE is a distributed federation with centralised broker for the Norwegian national education sector. Users register username and password with own home organisation Users authenticate to web-services via FEIDE s centralized login service The Service Provider receives user attributes from the user s Home Institution The Service Providers never sees the user s password/credential, it only receives user attributes that it need to know in order to provide the service. L09 - Id Man & AC INF UiO

27 (continued) FEIDE has formal agreements with the universities and schools before they are connected Home Institutions (universities and schools) are responsible for keeping user data correct and up-to-date Service Providers decide themselves what services their own users and other users should be able to access via FEIDE s central log-in service. L09 - Id Man & AC INF UiO

28 Scenario 1. User requests access to service User 2. Service Provider sends authentication request to FEIDE, and displays FEIDE login form to user. 5 1 Service Provider 4 2 FEIDE (broker) 3 Home Institution of User (IdP) 3. User enters name and password in FEIDE login form, which are sent for validation to Home Institution of user. 4. Home Institution confirms authentic user and provides user attributes to FEIDE which forwards these to SP 5. Service Provider analyses user attributes and provides service according to policy L09 - Id Man & AC INF UiO

29 5 1 User 4 Government Service Provider 2 Scenario ID-portal Norway (broker) 3 Credentials Providers: - BankID (AAL 4) - Confides (AAL 4) - Buypass (AAL 4) - MinID (AAL 3) 1. User requests service access 2. Service Provider sends authentication request to Idportal, and displays ID-portal login form to user. 3. User selects credentials provider, enters name and password in login form, which are sent for validation to credentials provider of user. 4. Credentials provider confirms authentic user and provides user attributes to ID-portal which forwards these to SP 5. Service Provider analyses user attributes and provides service according to policy L09 - Id Man & AC INF UiO

30 Norw. e-gov. Distributed Fed. with Broker Authentication methods MinID (AAL 3) Confides (AAL 4) Buypass (AAL 4) BankID (AAL 4) ID Porten DIFI Public services for citizens Tax Employment Education NAV (Social Sec.) etc. SMS PIN (AAL 2) Altinn PIN (AAL 2) Enterprise Id (AAL 4) Self-Identity (AAL 0) Altinn Brønnøysund register & IdP Public services for organizations Tax, VAT (MVA) Company registration Financial reports Subsidies etc. L09 - Id Man & AC INF UiO

31 Introduction to Logical Access Control Physical AC Physical Access Control: (not the theme today) Secret info Logical Access Control: (this lecture) Logical AC Secret info L09 - Id Man & AC INF UiO

32 Basic concepts Access control security models: How to define which subjects can access which objects with which access modes? Three classical approaches Discretionary Access Control (DAC) Mandatory access control (MAC) Role-Based Access Control (RBAC) Advanced approach for distributed environments: Attribute-Based Access Control (ABAC) Generalisation of DAC, MAC and RBAC L09 - Id Man & AC INF UiO

33 Access modes Modes of access: Authorizations specify the access permissions of subjects (users) when accessing objects (resources) If you are authorized to access a resource, what are you allowed to do to the resource? Example: possible access permissions include read - observe write observe and alter execute neither observe nor alter append - alter L09 - Id Man & AC INF UiO

34 DAC / MAC According to the Orange Book (TCSEC) TCSEC (1985) specifies two AC security models Discretionary AC (DAC) AC policy based on user identities e.g. John has (r,w) - access to HR-files John Mary HR r,w Sales r,w Mandatory AC (MAC) AC policy based on security labels e.g. secret clearance needed for access Secret Orange Book, 1985 L09 - Id Man & AC INF UiO

35 DAC Discretionary Access Control Access authorization is specified and enforced based on the identity of the user. DAC is typically implemented with ACL (Access Control Lists) DAC is discretionary in the sense that the owner of the resource can decide at his/her discretion who is authorized Operating systems using DAC: Windows and Linux L09 - Id Man & AC INF UiO

36 DAC principles AC Matrix General list of authorizations Impractical, too many empty cells Access Control Lists (ACL) Associated with an object Represent columns from AC Matrix Tells who can access the object Columns Rows Subject names Objects O1 O2 O3 O4 S1 r,w - x r S2 r - r r,w S3 - x - - S4 r,w x x x AC Matrix O1 O2 O3 O4 AC lists S1 r,w S1 - S1 x S1 r S2 r S2 - S2 r S2 r,w S3 - S3 x S3 - S3 - S4 r,w S4 x S4 x S4 x L09 - Id Man & AC INF UiO

37 ACL in Unix Each file and directory has an associated ACL Three access operations: read: from a file write: to a file execute: a file Access applied to a directory: read: list contents of dir write: create or rename files in dir execute: search directory Permission bits are grouped in three triples that define read, write, and execute access for owner, group, and others. A - indicates that the specific access right is not granted. rw-r--r-- means: read and write access for the owner, read access for group, and for others (world). rwx means: read, write, and execute access for the owner, no rights for group and no rights for others L09 - Id Man & AC INF UiO

38 Capabilities Focus on the subjects: access rights stored with subjects Represents rows of AC Matrix Must be impossible for users to create fake capabilities Subjects may grant own capabilities to other subjects. Subjects may grant the right to grant rights. Challenges: How to check who may access a specific object? How to revoke a capability? Similar to SAML security token AC Capabilities O1 O2 O3 O4 S1 r,w - x r O1 O2 O3 O4 S2 r - r r,w O1 O2 O3 O4 S3 - x - - O1 O2 O3 O4 S4 r,w x x x L09 - Id Man & AC INF UiO

39 MAC Mandatory Access Control Access authorization is specified and enforced with security labels Security clearance for subjects Classification levels for objects MAC compares subject and object labels MAC is mandatory in the sense that users do not control access to the resources they create. A system-wide set of AC policy rules for subjects and objects determine modes of access OS with MAC: SE Linux supports MAC L09 - Id Man & AC INF UiO

40 MAC principles: Labels Security Labels can be assigned to subjects and objects Can be strictly ordered security levels, e.g. Confidential or Secret Can also be partially ordered categories, e.g. {Sales-dep, HR-dep} Dominance relationship between labels ( L A L B ) means that label L A dominates label L B Object labels are assigned according to sensitivity Subject labels are determined by security clearance Access control decisions are made by comparing the subject label with the object label according to specific model MAC is typically based on Bell-LaPadula model (see later) Subject compare Object L09 - Id Man & AC INF UiO

41 Bell-LaPadula: The classical MAC model SS-property (Simple Security): No Read Up A subject should not be able to read files with a higher label than its own label, because otherwise it could cause unauthorized disclosure of sensitive information. So you should only be able to read documents with an equal or lower label as your security clearance level. *-Property (Star Property): No Write Down Subjects working on information/tasks at a given level should not be allowed to write to a lower level, because otherwise it could create unauthorized information flow. So you should only be able write to files with an equal or higher label as your security clearance level. L09 - Id Man & AC INF UiO

42 Bell-LaPadula (MAC model) SS-Property: No Read Up Current Subject Label Secret read read read Top Secret Object Labels Secret Confidential L09 - Id Man & AC INF UiO

43 Diagram Bell-LaPadula (MAC model) *-Property: No Write Down Current Subject label Secret write write write Top Secret Secret Object Labels Confidential L09 - Id Man & AC INF UiO

44 Labels in Bell La Padula Users have a clearance level L SM (Subject Max level) Users log on with a current clearance level L SC (Subject Current level) where L SC L SM Objects have a sensitivity level L O (Object) SS-property allows read access when L SC L O *-property allows write access when L SC L O L09 - Id Man & AC INF UiO

45 Bell-LaPadula label relationships Object labels L O A Subject Max label (clearance) L SM B write access Subject Current label L SC = L O E C E D F Dominance Possible L SC read access G H I L09 - Id Man & AC INF UiO

46 Combined MAC & DAC Combining access control approaches: A combination of mandatory and discretionary access control approaches is often used MAC is applied first, DAC applied second after positive MAC Access granted only if both MAC and DAC positive Combined MAC/DAC ensures that no owner can make sensitive information available to unauthorized users, and need to know can be applied to limit access that would otherwise be granted under mandatory rules L09 - Id Man & AC INF UiO

47 RBAC: Role Based Access Control A user has access to an object based on the assigned role. Roles are defined based on job functions. Permissions are defined based on job authority and responsibilities within a job function. Operations on an object are invocated based on the permissions. The object is concerned with the user s role and not the user. L09 - Id Man & AC INF UiO

48 RBAC Flexibility Users Roles Resources Role 1 File 1 User s change frequently, roles don t Role 2 File 2 Role 3 File 3 RBAC can be configured to do MAC and/or DAC L09 - Id Man & AC INF UiO

49 RBAC Privilege Principles Roles are engineered based on the principle of least privilege. A role contains the minimum amount of permissions to instantiate an object. A user is assigned to a role that allows her to perform only what s required for that role. All users with the same role have the same permissions. L09 - Id Man & AC INF UiO

50 ABAC and XACML ABAC = Attribute Based Access Control ABAC specifies access authorizations and approves access through policies combined with attributes. The policy rules can apply to any type of attributes (user attributes, resource attribute, context attributed etc.). XACML used to express ABAC attributes and policies. XACML = extensible Access Control Markup Language The XACML standard defines a language for expressing access control attributes and policies implemented in XML, and a processing model describing how to evaluate access requests according to the rules defined in policies. XACML attributes are typically structured in ontologies L09 - Id Man & AC INF UiO

51 Attribute Based Access Control ABAC makes AC decisions based on Boolean conditions on attribute values. Subject, Object, Context, and Action consist of attributes Subject attributes could be: Name, Sex, DOB, Role, etc. Each attributes has a value, e.g.: (Name (subject) = Alice), (Sex(subject) = F), (Role(subject) = HR-staff), (AccessType(action) = {read, write}), (Owner(object) = HR), (Type(object) = salary) The AC logic analyses all (attribute = value) tuples that are required by the relevant policy. E.g. permit if: [ Role(subject) = HR-staff) and (AccessType(action) = read) and (Owner(object) = HR) ] and (Time(query) = office-hours) ] L09 - Id Man & AC INF UiO 2018

52 ABAC Model Access Action Request AC Policies Meta Policy Policy 1 Policy 3 Policy 2 1 2a ABAC Functions AC decision logic AC enforcement Context Conditions 2d Access 3 Object Subject 2b Subject Attributes Name Affiliation Clearance etc. 2c Object Attributes Type Owner Classification etc. L09 - Id Man & AC INF UiO

53 Global Consistence ABAC systems require an XML terminology to express all possible attributes and their values, Must be consistent across the entire domain, e.g. the attribute Role and all its possible values, e.g. (Role(subject) = HR-staff), must be known and interpreted by all systems in the AC security domain. Requires standardization: e.g. for access to medical journals, medical terms must be interpreted in a consistent way by all systems current international work on XML of medical terms Consistent interpretation of attributes and values is a major challenge for implementing ABAC. L09 - Id Man & AC INF UiO

54 ABAC: + and On the positive side: ABAC is much more flexible than DAC, MAC or RBAC DAC, MAC and RBAC can be implemented with ABAC Can use any type of access policies combined with an unlimited number of attributes Suitable for access control in distributed environments e.g. national e-health networks On the negative side: Requires defining business concepts in terms of XML and ontologies which is much more complex than what is required in traditional DAC, MAC or RBAC systems. Political alignment and legal agreements required for ABAC in distributed environments L09 - Id Man & AC INF UiO

55 Meta-policies i.c.o. inconsistent policies Sub-domain authorities defined their own policies Potential for conflicting policies E.g. two policies dictate different access decisions Meta-policy rules needed in case the ABAC logic detects policy rules that lead to opposite decisions Meta-policy takes priority over all other policies, e.g. Meta-Policy Deny Overrides: If one policy denies access, but another policy approves access, then access is denied. This is a conservative meta-policy. Meta-Policy Approve Overrides: If one policy denies access, but another policy approves access, then access is approved. This is a lenient meta-policy. L09 - Id Man & AC INF UiO

56 End of lecture